One Article Review

Home - The article:
Source Mandiant
Identifier 8655317
Publication date 2025-03-12 14:00:00 (viewed: 2025-03-12 15:08:23)
Title Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
Text Written by: Lukasz Lamparski, Punsaen Boonyakarn, Shawn Chew, Frank Tse, Jakub Jozwiak, Mathew Potaczek, Logeswaran Nadarajan, Nick Harbour, Mustafa Nasser
Introduction

In mid-2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks' Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group UNC3886. Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks' Junos OS routers. The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device.

Mandiant worked with Juniper Networks to investigate this activity and observed that the affected Juniper MX routers were running end-of-life hardware and software. Mandiant recommends that organizations upgrade their Juniper devices to the latest images released by Juniper Networks, which include mitigations and updated signatures for the Juniper Malware Removal Tool (JMRT). Organizations should run the JMRT Quick Scan and Integrity Check after the upgrade.

Mandiant has reported on similar custom malware ecosystems in 2022 and 2023 that UNC3886 deployed on virtualization technologies and network edge devices. This blog post showcases a development in UNC3886's tactics, techniques and procedures (TTPs), and their focus on malware and capabilities that enable them to operate on network and edge devices, which typically lack security monitoring and detection solutions, such as endpoint detection and response (EDR) agents. Mandiant previously reported on UNC3886's emphasis on techniques to gather and use legitimate credentials to move laterally within a network, undetected. These objectives remained consistent but were pursued with the introduction of a new tool in 2024. Observations in this blog post strengthen our assessment that the actor's focus is on maintaining long-term access to victim networks. UNC3886 continues to show a deep understanding of the underlying technology of the appliances being targeted.

At the time of writing, Mandiant has not identified any technical overlaps between activities detailed in this blog post and those publicly reported by other parties as Volt Typhoon or Salt Typhoon.

Attribution

UNC3886 is a highly adept China-nexu
Notes ★★
Sent Yes
Tags Malware Tool Vulnerability Threat Patching Prediction Cloud Technical
Stories Guam


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.